Flow Locks: Towards a Core Calculus for Dynamic Flow Policies

  • Niklas Broberg
  • David Sands
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3924)


Security is rarely a static notion. What is considered to be confidential or untrusted data varies over time according to changing events and states. The static verification of secure information flow has been a popular theme in recent programming language research, but the information flow policies considered are based on multilevel security, which presents a static view of security levels. In this paper we introduce a very simple mechanism for specifying dynamic information flow policies, flow locks, which specify conditions under which data may be read by a certain actor. The interface between the policy and the code is via instructions which open and close flow locks. We present a type and effect system for an ML-like language with references which permits the completely static verification of flow lock policies, and prove that the system satisfies a semantic security property generalising noninterference. We show that this simple mechanism can represent a number of recently proposed information flow paradigms for declassification.
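To make the mechanism concrete, here is a small runtime model of flow-lock policies. It is an added illustration, not code from the paper or its authors: the paper enforces policies statically with a type and effect system, whereas this model checks each write at run time. A policy lists, per actor, the locks that must be open before that actor may read; `open`/`close` are the program's interface to the policy. The flow ordering in `flow_allowed` (data may move to a location whose policy grants no actor a read that the source policy does not already grant under the currently open locks) is my simplified reading of the idea, and the checkout scenario, the `Paid` lock and the actor names are constructed for the example.

```python
# Toy runtime model of flow-lock policies (added illustration; the paper's
# enforcement is a static type-and-effect system, not a runtime monitor).
from __future__ import annotations
from typing import Dict, FrozenSet, Set

# A policy says, per actor, which locks must be open before that actor may
# read the data. Actors not listed may never read it.
Policy = Dict[str, FrozenSet[str]]

NO_LOCKS: FrozenSet[str] = frozenset()


class FlowLockViolation(Exception):
    """Raised when a write would let some actor read data its policy forbids."""


class LockState:
    """The set of currently open locks; open/close model the program's
    policy-interface instructions."""

    def __init__(self) -> None:
        self.open_locks: Set[str] = set()

    def open(self, lock: str) -> None:
        self.open_locks.add(lock)

    def close(self, lock: str) -> None:
        self.open_locks.discard(lock)


def may_read(policy: Policy, actor: str, state: LockState) -> bool:
    """An actor may read right now iff it is listed and all its locks are open."""
    return actor in policy and policy[actor] <= state.open_locks


def flow_allowed(src: Policy, dst: Policy, state: LockState) -> bool:
    """Is it safe to move data labelled `src` into a location labelled `dst`?

    For every actor that `dst` lets read (under conditions dst_locks), `src`
    must also let that actor read once dst_locks plus the already-open locks
    hold; otherwise the write would grant a read the source policy forbids.
    (Assumed simplification of the paper's ordering, as stated in the lead-in.)
    """
    for actor, dst_locks in dst.items():
        if actor not in src:
            return False
        if not src[actor] <= (dst_locks | state.open_locks):
            return False
    return True


class Ref:
    """A mutable location carrying a fixed policy; every write is checked."""

    def __init__(self, policy: Policy, value=None) -> None:
        self.policy = policy
        self.value = value

    def assign(self, value, value_policy: Policy, state: LockState) -> None:
        if not flow_allowed(value_policy, self.policy, state):
            raise FlowLockViolation(
                f"flow {dict(value_policy)} -> {dict(self.policy)} "
                f"with open locks {sorted(state.open_locks)}")
        self.value = value


# Constructed scenario: a customer's card number may be read by the customer
# unconditionally, and by the shop only once the 'Paid' lock has been opened.
CARD_POLICY: Policy = {"customer": NO_LOCKS, "shop": frozenset({"Paid"})}
SHOP_LEDGER_POLICY: Policy = {"shop": NO_LOCKS}


def checkout(card_number: str, customer_pays: bool) -> bool:
    """Return True iff the card number reached the shop's ledger legally."""
    state = LockState()
    ledger = Ref(SHOP_LEDGER_POLICY)
    if customer_pays:
        state.open("Paid")           # the event that changes what may flow
    try:
        ledger.assign(card_number, CARD_POLICY, state)
    except FlowLockViolation:
        return False
    finally:
        state.close("Paid")          # closing later does not undo a past flow
    return ledger.value == card_number


if __name__ == "__main__":
    print("without payment:", checkout("4111-constructed", customer_pays=False))
    print("with payment:   ", checkout("4111-constructed", customer_pays=True))
```

The model captures two points from the abstract: the same write is rejected or accepted depending solely on the lock state, so the policy is dynamic while the labels on locations stay fixed; and a write to a strictly more permissive label (one naming an actor the source never lists) is rejected in every lock state, which is where the ordinary multilevel restriction survives inside the dynamic policy.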





Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Niklas Broberg, Chalmers University of Technology and Göteborg University, Sweden
  • David Sands, Chalmers University of Technology and Göteborg University, Sweden
